Global Audit Logging provides NetWitness Suite Auditors with consolidated visibility into user activities within NetWitness Suite in real-time from one centralized location. This visibility includes audit logs gathered from the NetWitness Suite system and the different services throughout the NetWitness Suite infrastructure.
NetWitness Suite audit logs collect in a centralized system that converts them into the required format and forwards them to an external syslog system. The external syslog system can be a third-party syslog server or a Log Decoder.
You configure global audit logging in the Global Audit Logging Configurations panel. An audit logging template defines the format and message fields of the audit log entries. A Syslog Notification Server configuration defines the destination to send the audit logs. If you want to forward audit logs to a Log Decoder, configure a Syslog type of Notification Server for the Log Decoder.
The following are some of the user actions logged from NetWitness Suite:
- User login success
- User login failure
- User logouts
- Maximum Login failures exceeded
- All UI pages accessed
- Committed configuration changes (including when a user changes their own password)
- Queries performed by the user
- User access denied
- Data export operations
After you create a global audit logging configuration, audit logs containing these user actions automatically go to the external syslog system in the format specified in the selected Audit Logging template. You can create multiple global audit logging configurations for different destinations that use different templates. For example, you can create a global audit logging configuration for an external Syslog server with a template that contains all of the available meta keys and another configuration for a Log Decoder with a template that contains selected meta keys.
For Log Decoders, you use the Default Audit CEF Template. You can add or remove fields from the Common Event Format (CEF) template if you have specific requirements. Define a Template for Global Audit Logging provides instructions and Supported CEF Meta Keys describes the CEF meta keys available to use in the audit logging templates.
For third-party syslog servers, you can use a default audit logging template or define your own format (CEF or non-CEF). Define a Template for Global Audit Logging provides instructions and Supported Global Audit Logging Meta Key Variables describes the available variables.
Auditors can view the audit logs on the selected Log Decoder or third-party syslog server. If using a Log Decoder, auditors can view the audit logs using NetWitness Suite Investigations or Reports.
The following figure shows global audit logs in Investigation (INVESTIGATE > Events).
For examples of some of the user actions logged, see Add New Configuration Dialog. For a list of message types being logged by the various NetWitness Suite components, see Global Audit Logging Operation Reference.
Global Audit Logging - High-Level Procedure
Global Audit Logging is configured in the Global Audit Logging Configurations panel, which is accessed from ADMIN> System view > Global Auditing. Before you can configure Global Audit Logging, you need to configure a Syslog Notification Server and an Audit Logging template. A Syslog Notification Server defines the destination to send the audit logs. An Audit Logging template defines the format and message fields of the audit log entry.
The Global Audit Logging Configuration panel provides a view settings link that takes you to the Global Notifications panel (Administration System view > Global Notifications) where you can configure the Syslog Notification Server and Audit Logging template.
Perform the following procedures in the order shown to configure Global Audit Logging.